Abstract. We study the practical effectiveness of privacy amplification
for classical key-distribution schemes. We find that, in contrast to
quantum key distribution schemes, the high fidelity of the raw key
generated in classical systems allows the users to always sift a secure
shorter key if they have an upper bound on the eavesdropper's probability
of correctly guessing the exchanged key-bits. The number of privacy
amplification iterations needed to achieve an information leak of
$10^{-8}$ in existing classical communicators is 2 or 3, resulting in a
corresponding slowdown of 4 to 8. We analyze the inherent tradeoff between
the number of iterations and the security of the raw key. This property,
which is unique to classical key distribution systems, renders them highly
useful in practice, especially for noisy channels where sufficiently low
quantum bit error ratios are difficult to achieve.

1 Introduction 

The ability of a secure communication system to protect the information
being transferred through it is primarily determined by the encryption
key and the ability of the users (Alice and Bob) to keep it secret from
a potential eavesdropper (Eve). In fact, under the strictest conditions,
the key is the only element of the encryption scheme which is assumed
to be unknown to the adversaries and, as such, constitutes the last and
only line of defense of the data. Although absolute information security
requires an encryption key which is as long as the message (i.e., the
one-time-pad) [1], it is clear that for practical reasons it is desired to
employ a shorter key. Regardless of the specific encryption algorithm,
achieving a higher security level requires that the adversary has minimal
information on the encryption key.

Table 1. The physical quantities characterizing the channel state in the three classical
key distribution schemes and the distinguishable states.

Method   Channel signal (the physical quantity of the channel state)   Types of states
KLJN     mean-square voltage noise or current noise amplitude          HH, LL, LH = HL = S
UFL      frequency and power of lasing                                 HH, LL, LH = HL = S
Liu      cross-correlation of noise signals emitted by Alice and Bob   HH = LL, LH = HL = S

The most profound challenge in achieving secure communication is probably
the distribution of this key between the users [1]. Secure communication
between the users cannot take place without a key, but the distribution
of this key seems to necessitate the existence of a secure communication
channel. In an attempt to resolve this loophole, much effort has been
focused on the development of physical-layer key-distribution schemes.
Quantum key distribution (QKD) [2, 3] is probably the most well known
scheme, although recently alternative concepts employing classical
physics have been proposed and demonstrated [4-14]. For example,
the demonstration of the Kirchhoff-Law-Johnson-(like)-Noise based key
distribution system at 2000 km range resulted in 99.98% fidelity [6], and
recent studies on ultralong fiber laser classical key distribution schemes
have demonstrated ranges exceeding 200 km with potential key establishing
rates of hundreds of bits per second [15].

Whether quantum or classical, all the physical-layer key-distribution
schemes provide a relatively low key establishing rate. Therefore, for
practical reasons, Alice and Bob cannot afford to discard a partially
exposed key and it is, thus, desired to develop an algorithm to purify a
partially exposed key even at the expense of the key length.

Privacy amplification (PA) [16] is an example of an algorithm which
provides this ability. One of the simplest PA algorithms is replacing the
original key by a shorter one whose bits are the result of the XOR
operation between two successive bits of the original key (see, e.g., [17]).
The length of the new key is half of that of the original one but Eve's
knowledge on the new key is substantially reduced (see section 3). We
mathematically analyze this simple algorithm and show for the three
existing classical key-distribution schemes [4-14] that a practically
satisfactory approach to 0.5 (i.e., zero information) can be reached with
a 4-8 times slowdown for the state-of-the-art physical realizations of
these systems. Notice that for eavesdropper probability 0.5, Eve obtains
indeed zero information on the key because this probability is equal to
generating her own key bits by using an unbiased random coin.



Although PA is essentially a classical scheme, it was developed primarily
as an accessory tool for QKD in order to purify a partially exposed key.
However, because of the fragile nature of quantum states (the very same
property which provides Alice and Bob with the ability to detect the
presence of Eve), the ability of Alice and Bob to purify their key is
limited by the quantum bit error ratio (QBER). In particular, it has been
shown that if the QBER exceeds a certain value (which depends on the
particular QKD scheme), then classical PA cannot be used to sift a
shorter, secure key from the raw one.

On the other hand, in classical key distribution schemes Alice and Bob
are unable to detect a passive eavesdropper because, unlike QKD, the
activity of such an adversary does not necessarily induce errors in the
key-exchange protocol.

However, Alice and Bob can set an upper bound p on the probability of
Eve to correctly identify an exchanged key-bit and therefore, can set a
bound on the maximal knowledge Eve could have gained on the raw key.
This bound can be in turn used in a PA scheme to reduce Eve's knowledge
on the key to any desired level provided that the fidelity F of the key
exchanged between Alice and Bob is sufficiently large to allow that.

In this paper, we study the employment of PA in classical key-distribution
schemes. We show that the inherent robustness of such schemes, the very
property which prevents Alice and Bob from detecting the presence of Eve,
provides them with the ability to sift a secret key from the raw one for any
exposure probability as long as the fidelity F = 1. The direct implication
is that classical key distribution schemes can facilitate secure
communication in difficult and noisy channel conditions which are beyond the
capabilities of QKD schemes. In section 2 we briefly describe the
properties of classical key-distribution schemes. In section 3 we describe and
analyze the PA scheme we use and in section 4 we summarize the results
and conclude.

2 Secure classical key exchange protocols 

Currently there are three classical secure key distribution methods which
have been published; in chronological order: the
Kirchhoff-Law-Johnson-(like)-Noise (KLJN) [4-7], the Ultra-long-Fiber-Laser
(UFL) [8-11], and the Pao-Lo Liu (Liu) [12-14] schemes. In all these
schemes, Alice and Bob are interacting with the channel via a classical
physical quantity while they are monitoring some properties of the channel
(i.e. the channel "status"). The channel status depends on the actions of
Alice and Bob. Alice and Bob can choose between two different types of
operations on the channel, which correspond to the H and the L bits.
Choosing different interaction types, namely HL or LH, results in an
identical channel state S while the other action combinations, namely HH
and LL, result in different channel states. Eve cannot directly observe
Alice's and Bob's actions on the channel but she can learn the interaction
types in the case of LL and HH. In the LH and HL cases, Eve does not know
which side has the L and which one the H. However, Alice and Bob know
their own bit value and thus, when they observe the S channel state, they
know that the other side has the opposite bit. It is important to note
that, in these systems, the fidelity of key exchange between Alice and Bob
can approach 100% depending on how good statistics (how long a clock
time) are devoted to the exchange of a single bit. The exception to
this situation is the case of an invasive attack by Eve [1,2], which will be
addressed at the end of this section.

Fig. 1. To utilize the small information leak due to non-idealities, Eve measures and
compares the channel signals at the two ends (KLJN) or the propagating signals in the
two directions (UFL and Liu).

Table 1 shows the physical quantities characterizing the channel state in 
the three classical key distribution schemes mentioned above. The KLJN 
and UFL systems have 3 different distinguishable states while the Liu 
protocol has 2. 

It should be noted that the successful operation of the three classical
schemes requires a high degree of temporal synchronization between the
actions taken by Alice and Bob. Though this is doable with today's
technology, practical solutions, which ramp the signals up [6] at the
beginning of the clock signal and down at the end of it, do not require
perfect synchronization.

In a practical physical secure layer, due to non-idealities, finite clock 
speed, etc., there is some information leak [18], which Eve can utilize 
to gain information, see Figure 1. In the KLJN system [4-7] Eve can 
utilize the small difference of the noise signal at the two ends of the wire 
[19, 20] due to wire resistance, capacitance and inductance. In the UFL 
scheme [8-11], comparison of the spectra serves as information for Eve [8]. 
Similarly, in the Liu scheme [12-14], there is some information about the 
bits of Alice and Bob in the interrelation of the signals sent / reflected by 
Alice and Bob, respectively [12-14,21]. 

In the ideal case, where there is no information leak, Eve's success
probability of guessing the key bits is $p = 0.5$, which means that she
obtains zero information on the key. In realistic cases, the actual
information leak toward Eve [6] can be calculated by the Shannon formula
for digital channels [18]:

$$C_e = f_s \left[ 1 + p \log_2 p + (1 - p) \log_2 (1 - p) \right],$$

where $C_e$ is the information channel capacity, $f_s$ is the frequency of
exchanged key bits, $p$ is the probability of correct bit guess by Eve and
$1 - p$ is her error probability (see, also, Figure 2).

As a practical goal of PA in the present paper, we set the limit of

$$C_e / f_s < 10^{-8},$$

which corresponds to

$$p \approx 0.5006. \qquad (1)$$

Fig. 2. $C_e / f_s$ is the fraction of information leaked by each exchanged key bit toward
Eve versus the probability of her correct guess. In the case of error-free key exchange
between Alice and Bob, $C_e / f_s$ is the ratio of information channel capacity between
Alice/Bob toward Eve and that of the key exchange between Alice and Bob.
Horizontal axis: p (probability of correct guess by Eve).

Another important aspect of security of these secure key exchange
protocols is the defense against invasive attacks [4] including the
man-in-the-middle attack [5]. In order to have an effective protection of
each of the key bits, Alice and Bob broadcast the channel signal [4, 5] in
as many public channels as possible and compare the broadcast signals, see
Figure 3. As a result they have complete information about the channel
signal seen at the other end. During the comparison they can detect any
invasive manipulation on the channel signal that can be utilized by Eve and
thus they can discard the related bit if necessary [4, 5].

For PA, the topic of this paper, this broadcasting is highly beneficial
because it allows Alice and Bob to know exactly what would be the
decision of the other end on the channel state: secure or not. If they see
that their decision is going to be different, they discard the bit. Thus, in
this way they rectify the errors in the key exchange between them and
approach 100% fidelity.

Fig. 3. Alice and Bob are broadcasting and comparing the channel signals (analog
quantities) seen by them to defend against any invasive attack and to approach 100%
fidelity. (Figure label: public broadcast channels.)



3 The PA algorithm 

In this section we first describe the privacy amplification algorithm based
on iteratively replacing the original key by a shorter one using the binary
XOR operation and then demonstrate its practical effectiveness for the
state-of-the-art secure classical key exchange schemes such as the KLJN,
Liu, and UFL. The input to the algorithm consists of the following three
parameters:

(i) the length $L > 0$ of the key to be generated,

(ii) an upper bound $p$ ($0.5 < p < 1$) on the probability of correct
identification of a bit by Eve, and

(iii) a user defined upper bound $\epsilon > 0$ on the distance from the zero
information point 0.5.

We assume that the values for these input parameters are known to all
parties of the communications, including Eve. Given $L$, $p$, and $\epsilon$, the goal
of Alice and Bob is to generate and exchange a secure key of length $L$
such that the probability of Eve to correctly identify any particular bit
of the key is at most $0.5 + \epsilon$.

Our estimations of $p$ (i.e., Eve's probability to correctly guess the bits of
the raw key) are based on experimental and simulation studies for the
three key distribution systems:

— For the KLJN scheme $p$ was experimentally studied in a 2000 km
laboratory model line [6]. It was found to be 0.525 with fidelity of
99.98%.

— For the UFL scheme a full-scale 50 km system was studied
experimentally [10], yielding a raw-key guess probability of 0.65 with 99.4%
fidelity.

— For the Liu scheme, the raw-key guess probability was studied by
performing computer simulations in MATLAB for various values of
the system parameters [12]. For the strategically identified parameter
values reported in [12], $p$ was found to be 0.573 with 91.8% fidelity.

For $\epsilon$, we use the value 0.0006 based on the practical considerations
discussed in the previous section (see, also, (1)).

Given $p$ and $\epsilon$, Alice and Bob first calculate a positive integer
$k = k(p, \epsilon)$ defined below and then generate, for each bit $B_i$ of the
final key ($1 \le i \le L$), a sequence $S_i$ consisting of $2^k$ raw bits. By raw
bits we mean bits with eavesdropping probability at most $p$. High risk bits,
i.e., those for which this probability is larger than $p$, are disregarded
(see, e.g., KLJN [4]). From $S_i^0 = S_i$, Alice and Bob compute the binary
strings

$$S_i^1 = F(S_i^0)$$
$$S_i^2 = F(S_i^1)$$
$$\vdots$$
$$S_i^k = F(S_i^{k-1})$$

and define the $i$th bit $B_i$ of the final key to be $S_i^k$, where

$$F(b_1 b_2 b_3 \cdots b_{2n}) = b'_1 b'_2 \cdots b'_n \quad \text{with} \quad b'_j = \mathrm{XOR}(b_{2j-1}, b_{2j})$$

for every $j = 1, \ldots, n$.

We first show that the probability of Eve to correctly guess the key-bits
decreases monotonically with each iteration of the PA algorithm. More
precisely, we prove by induction on $l$ that, for every bit $B$ of $S_i^l$,

$$\Pr(\text{Eve correctly identifies } B) \le P^l(p) \qquad (2)$$

for all $l \ge 1$, where

$$P(x) = 2x^2 - 2x + 1$$

and

$$P^l(x) = \begin{cases} P(x) & \text{if } l = 1 \\ P(P^{l-1}(x)) & \text{otherwise.} \end{cases}$$

For the base case $l = 1$, any bit $b'_j = \mathrm{XOR}(b_{2j-1}, b_{2j})$ of $S_i^1$ is
correctly identified either by correctly identifying both raw bits $b_{2j-1}$ and
$b_{2j}$ or by incorrectly identifying both of them, as
$\mathrm{XOR}(\overline{b_{2j-1}}, \overline{b_{2j}}) = \mathrm{XOR}(b_{2j-1}, b_{2j})$.
Thus, assuming that Eve correctly identifies a raw bit
with probability $q$, the probability that Eve correctly identifies $b'_j$ is

$$q^2 + (1 - q)^2 = P(q).$$

Since $0.5 \le q \le p$, we have $P(q) \le P(p)$ and thus, (2) holds for $l = 1$. The
proof for the induction step can be shown by using similar arguments.

We now show that $\lim_{l \to \infty} P^l(p) = 0.5$ for every $p \in [0.5, 1)$. One can easily
check that

(i) $P(x) < x$ holds for every $x \in [0.5, 1)$ and

(ii) $P(x)$ is strictly monotonically increasing on the interval $[0.5, 1)$.

Thus, for every $p \in [0.5, 1)$, the sequence

$$p, P(p), P^2(p), P^3(p), \ldots \qquad (3)$$

is strictly monotonically decreasing. To show that it converges to the
desired value 0.5, let

$$\Delta(x) = x - P(x) = -2x^2 + 3x - 1$$

and consider the case that $0.75 < p < 1$. Since $\Delta$ is (strictly)
monotonically decreasing on the interval $[0.75, 1)$, there must be a positive
integer

$$l \le \left\lceil \frac{p - 0.75}{\Delta(p)} \right\rceil$$

satisfying $P^l(p) < 0.75$.

Let $l_0$ be the smallest such integer if $p > 0.75$; otherwise let $l_0 = 0$. To
show that the sequence in (3) is convergent, it suffices to show that the
subsequence

$$P^{l_0}(p), P^{l_0+1}(p), \ldots \qquad (4)$$

is convergent.

We first note that, for every $0.5 < x_1, x_2 < 0.75$ we have

$$|P(x_1) - P(x_2)| = 2\,|(x_1 - x_2)(x_1 + x_2 - 1)| \le q\,|x_1 - x_2| \qquad (5)$$

for some positive real number $q < 1$. Thus, $P$ is a contraction function
on the interval $[0.5, P^{l_0}(p)]$ and hence, by the Banach fixpoint theorem$^6$,
the sequence in (4) converges to the fixpoint 0.5 of $P$. Putting all these
together, we have that

$$\lim_{n \to \infty} P^n(p) = 0.5$$

for every $p \in [0.5, 1)$, i.e., for sufficiently large $n$, the probability that
Eve correctly identifies any bit of the final key is close to 0.5.

We now turn to the choice of the number $k(p, \epsilon)$ satisfying

$$P^{k(p, \epsilon)}(p) < 0.5 + \epsilon.$$

For the elements of the sequence in (4) we have 

P la+l (p) - 0.5 < (P i0 (p) - P iQ+1 (p)) < e 

for sufficiently large $l > 0$, where for the Lipschitz constant $q$ we have

$$q = 4P^{l_0}(p) - 2$$

by using (5). Notice that $q < 1$, as $P^{l_0}(p) < 0.75$ by the choice of $l_0$.
Thus, for the convergence rate of the sequence in (3) we get the upper
bound

kip,e) < 

A(p) J bq Z\(P ; o(p)) 

Given $p$ and $\epsilon$, one can easily find the exact value of $k(p, \epsilon)$. For the
particular value of $\epsilon = 0.0006$ discussed above, we give $k(p, \epsilon)$ for different
$p$'s in Table 2, including $p = 0.525$ (KLJN [6]), $p = 0.573$ (Liu [12]), and
$p = 0.65$ (UFL [11]).

Table 2. The values for $k = k(p, 0.0006)$ and $P^k(p)$ (rounded to five places) for different
values of $p$, including those for the particular realizations of KLJN, Liu, and UFL.

p               k = k(p, 0.0006)    P^k(p)
0.99            9                   0.50002
0.90            6                   0.50040
0.85            5                   0.50001
0.80            4                   0.50014
0.70            4                   0.50000
0.65 (UFL)      3                   0.50003
0.60            3                   0.50000
0.573 (Liu)     2                   0.50023
0.55            2                   0.50005
0.525 (KLJN)    2                   0.50000

$^6$ Let $f : [a, b] \to [a, b]$ be a contraction function, i.e., there exists a positive real
number $q < 1$ (Lipschitz constant) such that $|f(x) - f(y)| \le q\,|x - y|$ for every
$a \le x, y \le b$. Then $f$ has exactly one fixpoint $x^* \in [a, b]$ and
$x^* = \lim_{n \to \infty} f^n(s)$ for any $s \in [a, b]$.

As expected, $k$ decreases with $p$. The practical significance of our
privacy amplification algorithm is clearly demonstrated for the particular
realizations of the classical key-distribution schemes. For these physical
realizations, the generation of a secure bit requires only 4 raw bits for
the KLJN cipher and the Liu scheme, and 8 for the UFL.
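The folding map F, the bound P^k(p) and the choice of k(p, ε) from this section, together with the Shannon leak formula of section 2, as an added Python example that is not code from the paper; it computes k for the KLJN, Liu and UFL values of p and checks the bound by simulation. All function names are hypothetical, and the simulation assumes that Eve guesses every raw bit correctly with probability exactly p, independently of the other bits.

```python
import math
import random

def fold(bits):
    """One PA iteration F: XOR successive bit pairs, halving the string."""
    if len(bits) % 2:
        raise ValueError("F is defined on strings of even length")
    return [bits[j] ^ bits[j + 1] for j in range(0, len(bits), 2)]

def amplify(raw_bits, k):
    """Apply F k times, so each block of 2**k raw bits yields one key bit."""
    if len(raw_bits) % (1 << k):
        raise ValueError("raw key length must be a multiple of 2**k")
    for _ in range(k):
        raw_bits = fold(raw_bits)
    return raw_bits

def P(x):
    """Eve's success bound after one fold: both guesses right or both wrong."""
    return 2 * x * x - 2 * x + 1

def guess_bound(p, k):
    """P^k(p): bound on Eve's per-bit success probability after k folds."""
    for _ in range(k):
        p = P(p)
    return p

def iterations_needed(p, eps):
    """Smallest k with P^k(p) <= 0.5 + eps, found by direct iteration."""
    if not (0.5 <= p < 1.0) or eps <= 0:
        raise ValueError("need 0.5 <= p < 1 and eps > 0")
    k = 0
    while p > 0.5 + eps:
        p, k = P(p), k + 1
    return k

def leak_per_bit(p):
    """Shannon leak C_e/f_s = 1 + p*log2(p) + (1-p)*log2(1-p)."""
    term = lambda x: x * math.log2(x) if x > 0 else 0.0  # 0*log2(0) taken as 0
    return 1.0 + term(p) + term(1.0 - p)

def simulate_eve(p, k, n_final, seed=0):
    """Fraction of final key bits Eve gets right in a Monte Carlo run.

    Assumption (not from the paper's experiments): Eve guesses each raw bit
    correctly with probability exactly p, independently of all other bits.
    The seeded PRNG is for a reproducible simulation, not for real keys.
    """
    rng = random.Random(seed)
    key = [rng.getrandbits(1) for _ in range(n_final << k)]
    eve = [b if rng.random() < p else b ^ 1 for b in key]
    hits = sum(a == e for a, e in zip(amplify(key, k), amplify(eve, k)))
    return hits / n_final

if __name__ == "__main__":
    eps = 0.0006
    for name, p in [("KLJN", 0.525), ("Liu", 0.573), ("UFL", 0.65)]:
        k = iterations_needed(p, eps)
        print(f"{name}: p={p} k={k} raw bits per key bit={2 ** k} "
              f"bound={guess_bound(p, k):.5f} "
              f"leak={leak_per_bit(guess_bound(p, k)):.2e} "
              f"simulated={simulate_eve(p, k, 50_000, seed=1):.4f}")
```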



4 Conclusions 

We have studied the effectiveness of a privacy amplification algorithm
for classical key-distribution schemes. We have found that because of
the high fidelity of the raw key which is available to Alice and Bob,
they can always sift a secure, shorter key as long as they can find an
upper bound of Eve's probability to correctly guess the exchanged
key-bits. This is in contrast to QKD schemes where the PA is limited to
situations where the QBERs are lower than a certain value (~ 27%
for the best QKD scheme). This profound difference stems from Alice's
and Bob's ability to achieve complete fidelity of their key when using a
classical key-distribution scheme. Unlike QKD systems, such complete
fidelity can be achieved if Alice and Bob publish information on their
measurements, thus allowing each party to deduce the conclusion of the
other one (secure or non-secure bit exchange). In QKD schemes, detector
dark-counts, background noise and Eve's interference with the channel
necessarily generate errors, which reduce the fidelity of the raw key.

Regardless of Eve's success probability, any desired level of information
leak can be achieved by a sufficient number of iterations of the PA
algorithm, where there is a clear tradeoff between the "raw" security of
the system (manifested by Eve's success probability, p) and the required
number of iterations. For example, using the experimentally estimated
leakage of the key-bits towards Eve for the UFL, the Liu, and the KLJN
schemes, we found that an information leak level of $10^{-8}$ can be
achieved by successively applying the PA three times for the first and
twice for the second and the third. The ability of Alice and Bob to always
sift a secure key is an important strength of the classical
key-distribution schemes, which renders them highly attractive for
practical applications, in particular, for noisy channels where a
sufficiently low QBER is difficult to achieve.